* Re: [PR PATCH] [Updated] Using GnuTLS for CUPS as TLS backend (fix broken new CUPS OpenSSL default)
2022-12-19 21:03 [PR PATCH] re-enabled gnutls for cups since openssl IPPS printer server is faili… jpastuszek
@ 2022-12-19 21:07 ` jpastuszek
2022-12-19 21:09 ` jpastuszek
` (15 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: jpastuszek @ 2022-12-19 21:07 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1464 bytes --]
There is an updated pull request by jpastuszek against master on the void-packages repository
https://github.com/jpastuszek/void-packages cups-guntls
https://github.com/void-linux/void-packages/pull/41193
Using GnuTLS for CUPS as TLS backend (fix broken new CUPS OpenSSL default)
#### Testing the changes
- I tested the changes in this PR: **YES**
#### Local build testing
- I built this PR locally for my native architecture, (x86_64-libc) (print client)
- I built this PR locally for these architectures (if supported. mark crossbuilds):
- aarch64 (print server)
The latest version of CUPS defaults to building against OpenSSL. Before that it was defaulting to GnuTLS. The template is written with GnuTLS in mind (deps). This change brings back GnuTLS as TLS backend.
I was having issues with IPPS (TLS over port 631) with cups as a print server and as a client (IPP Everywhere). The server compiled against OpenSSL would fail when a TLS client was connecting, with an error pointing to an issue with certificate generation. Also, when provided with a custom certificate, cupsd would crash.
After this patch for client and server it all works (also tested with MacOS as a client).
The one thing I needed to do was to remove the certificates generated before (when cups was compiled against OpenSSL) (from /etc/cups/ssl) as they were not accepted by cups client.
A patch file from https://github.com/void-linux/void-packages/pull/41193.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-cups-guntls-41193.patch --]
[-- Type: text/x-diff, Size: 1000 bytes --]
From 0816a6360409e45b1dc956089c343b322c8f7a6b Mon Sep 17 00:00:00 2001
From: Jakub Pastuszek <jpastuszek@protonmail.com>
Date: Tue, 13 Dec 2022 20:56:13 +0000
Subject: [PATCH] re-enabled gnutls for cups since openssl IPPS printer server
is failing to generate self-signed certificate
---
srcpkgs/cups/template | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/srcpkgs/cups/template b/srcpkgs/cups/template
index 0776928f2609..5a4ce8d0af76 100644
--- a/srcpkgs/cups/template
+++ b/srcpkgs/cups/template
@@ -1,7 +1,7 @@
# Template file for 'cups'
pkgname=cups
version=2.4.2
-revision=1
+revision=2
build_style=gnu-configure
make_install_args="BUILDROOT=${DESTDIR}"
hostmakedepends="gnutls-devel pkg-config
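Review bot: The bump to `revision=2` pushes the backend switch to every installed system, but nothing in the change tells users that certificates already generated under /etc/cups/ssl by the OpenSSL build may have to be removed, which the description says was necessary before the cups client accepted the server again. Consider shipping an install message with the package (an INSTALL.msg next to the template) that states this, so an upgrade does not leave IPPS broken on hosts that already hold OpenSSL-generated certificates.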
@@ -42,6 +42,7 @@ do_configure() {
--enable-libpaper --with-menudir=/usr/share/applications \
--with-xinetd=/etc/xinetd.d --with-optim="${CFLAGS}" \
--with-rcdir=no \
+ --with-tls=gnutls \
$(vopt_if avahi '--with-dnssd=avahi') $(vopt_enable gssapi)
}
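Review bot: With `--with-tls=gnutls` now explicit in do_configure(), the build relies on GnuTLS being available for the target, yet the only dependency line visible in this patch is `hostmakedepends="gnutls-devel pkg-config` in the first hunk's context. Please confirm that gnutls-devel is also listed in makedepends, which lies outside the lines shown, so that cross builds link against the target's GnuTLS rather than depending on what the host happens to provide.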
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PR PATCH] [Updated] Using GnuTLS for CUPS as TLS backend (fix broken new CUPS OpenSSL default)
From: jpastuszek @ 2022-12-19 21:09 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1464 bytes --]
There is an updated pull request by jpastuszek against master on the void-packages repository
https://github.com/jpastuszek/void-packages cups-guntls
https://github.com/void-linux/void-packages/pull/41193
Using GnuTLS for CUPS as TLS backend (fix broken new CUPS OpenSSL default)
#### Testing the changes
- I tested the changes in this PR: **YES**
#### Local build testing
- I built this PR locally for my native architecture, (x86_64-libc) (print client)
- I built this PR locally for these architectures (if supported. mark crossbuilds):
- aarch64 (print server)
The latest version of CUPS defaults to building against OpenSSL. Before that it was defaulting to GnuTLS. The template is written with GnuTLS in mind (deps). This change brings back GnuTLS as TLS backend.
I was having issues with IPPS (TLS over port 631) with cups as a print server and as a client (IPP Everywhere). The server compiled against OpenSSL would fail when a TLS client was connecting, with an error pointing to an issue with certificate generation. Also, when provided with a custom certificate, cupsd would crash.
After this patch for client and server it all works (also tested with MacOS as a client).
The one thing I needed to do was to remove the certificates generated before (when cups was compiled against OpenSSL) (from /etc/cups/ssl) as they were not accepted by cups client.
A patch file from https://github.com/void-linux/void-packages/pull/41193.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-cups-guntls-41193.patch --]
[-- Type: text/x-diff, Size: 925 bytes --]
From bcd6bafc5788854803161b2399ab803c7a1ca4e5 Mon Sep 17 00:00:00 2001
From: Jakub Pastuszek <jpastuszek@protonmail.com>
Date: Tue, 13 Dec 2022 20:56:13 +0000
Subject: [PATCH] cups: reverting to GunTLS backend
---
srcpkgs/cups/template | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/srcpkgs/cups/template b/srcpkgs/cups/template
index 0776928f2609..5a4ce8d0af76 100644
--- a/srcpkgs/cups/template
+++ b/srcpkgs/cups/template
@@ -1,7 +1,7 @@
# Template file for 'cups'
pkgname=cups
version=2.4.2
-revision=1
+revision=2
build_style=gnu-configure
make_install_args="BUILDROOT=${DESTDIR}"
hostmakedepends="gnutls-devel pkg-config
@@ -42,6 +42,7 @@ do_configure() {
--enable-libpaper --with-menudir=/usr/share/applications \
--with-xinetd=/etc/xinetd.d --with-optim="${CFLAGS}" \
--with-rcdir=no \
+ --with-tls=gnutls \
$(vopt_if avahi '--with-dnssd=avahi') $(vopt_enable gssapi)
}
* Re: cups: reverting to GunTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
From: CameronNemo @ 2022-12-20 17:47 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 217 bytes --]
New comment by CameronNemo on void-packages repository
https://github.com/void-linux/void-packages/pull/41193#issuecomment-1359899129
Comment:
You seem to have written "GunTLS" in the commit message. Should fix that.
* Re: [PR PATCH] [Updated] cups: reverting to GunTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
From: jpastuszek @ 2022-12-20 22:01 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1473 bytes --]
There is an updated pull request by jpastuszek against master on the void-packages repository
https://github.com/jpastuszek/void-packages cups-guntls
https://github.com/void-linux/void-packages/pull/41193
cups: reverting to GunTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
#### Testing the changes
- I tested the changes in this PR: **YES**
#### Local build testing
- I built this PR locally for my native architecture, (x86_64-libc) (print client)
- I built this PR locally for these architectures (if supported. mark crossbuilds):
- aarch64 (print server)
The latest version of CUPS defaults to building against OpenSSL. Before that it was defaulting to GnuTLS. The template is written with GnuTLS in mind (deps). This change brings back GnuTLS as TLS backend.
I was having issues with IPPS (TLS over port 631) with cups as a print server and as a client (IPP Everywhere). The server compiled against OpenSSL would fail when a TLS client was connecting, with an error pointing to an issue with certificate generation. Also, when provided with a custom certificate, cupsd would crash.
After this patch for client and server it all works (also tested with MacOS as a client).
The one thing I needed to do was to remove the certificates generated before (when cups was compiled against OpenSSL) (from /etc/cups/ssl) as they were not accepted by cups client.
A patch file from https://github.com/void-linux/void-packages/pull/41193.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-cups-guntls-41193.patch --]
[-- Type: text/x-diff, Size: 925 bytes --]
From 977fa9c92f80fbbefb4c265833751a3baef45422 Mon Sep 17 00:00:00 2001
From: Jakub Pastuszek <jpastuszek@protonmail.com>
Date: Tue, 13 Dec 2022 20:56:13 +0000
Subject: [PATCH] cups: reverting to GnuTLS backend
---
srcpkgs/cups/template | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/srcpkgs/cups/template b/srcpkgs/cups/template
index 0776928f2609..5a4ce8d0af76 100644
--- a/srcpkgs/cups/template
+++ b/srcpkgs/cups/template
@@ -1,7 +1,7 @@
# Template file for 'cups'
pkgname=cups
version=2.4.2
-revision=1
+revision=2
build_style=gnu-configure
make_install_args="BUILDROOT=${DESTDIR}"
hostmakedepends="gnutls-devel pkg-config
@@ -42,6 +42,7 @@ do_configure() {
--enable-libpaper --with-menudir=/usr/share/applications \
--with-xinetd=/etc/xinetd.d --with-optim="${CFLAGS}" \
--with-rcdir=no \
+ --with-tls=gnutls \
$(vopt_if avahi '--with-dnssd=avahi') $(vopt_enable gssapi)
}
* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
From: jpastuszek @ 2022-12-20 22:07 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 236 bytes --]
New comment by jpastuszek on void-packages repository
https://github.com/void-linux/void-packages/pull/41193#issuecomment-1360383509
Comment:
> You seem to have written "GunTLS" in the commit message. Should fix that.
Fixed, thanks!
* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
From: Vaelatern @ 2023-01-16 20:02 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 303 bytes --]
New comment by Vaelatern on void-packages repository
https://github.com/void-linux/void-packages/pull/41193#issuecomment-1384498468
Comment:
Gosh.
This breaks some users I guess? I'd like a signoff from at least one other contributor, ideally someone who uses cups themselves (I just don't print).
* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
From: CameronNemo @ 2023-01-16 21:19 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 362 bytes --]
New comment by CameronNemo on void-packages repository
https://github.com/void-linux/void-packages/pull/41193#issuecomment-1384562518
Comment:
GnuTLS is far from my favorite TLS implementation. Have you reported this issue upstream? Seeing as OpenSSL support was (re-)added <1 year ago (https://github.com/OpenPrinting/cups/pull/362), I assume it should work.
* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
From: CameronNemo @ 2023-01-16 21:21 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 423 bytes --]
New comment by CameronNemo on void-packages repository
https://github.com/void-linux/void-packages/pull/41193#issuecomment-1384562518
Comment:
GnuTLS is far from my favorite TLS implementation. Have you reported this issue upstream? Seeing as OpenSSL support was (re-)added <1 year ago (https://github.com/OpenPrinting/cups/pull/362), I assume it should work.
See also: https://github.com/OpenPrinting/cups/issues/529
* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
From: Piraty @ 2023-01-17 0:17 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 229 bytes --]
New comment by Piraty on void-packages repository
https://github.com/void-linux/void-packages/pull/41193#issuecomment-1384690593
Comment:
maybe @oynqr can chime in, due to https://github.com/void-linux/void-packages/pull/33939
* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
From: oynqr @ 2023-01-17 6:56 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 325 bytes --]
New comment by oynqr on void-packages repository
https://github.com/void-linux/void-packages/pull/41193#issuecomment-1384914605
Comment:
Building with openssl was not intended and I really should have double checked. We are probably going to need a message about the potential breakage with openssl generated certificates.
* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
From: oynqr @ 2023-01-17 8:14 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 420 bytes --]
New comment by oynqr on void-packages repository
https://github.com/void-linux/void-packages/pull/41193#issuecomment-1384998872
Comment:
Just like mentioned in [this](https://github.com/void-linux/void-packages/pull/40467) PR, it's trying to use MacOS paths for certificates. I suspect [this](https://github.com/OpenPrinting/cups/blob/9b31bae0d0d0b436f5c48b737049bb0edf5f6b78/scheduler/conf.c#L607-L615) is the cause.
* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
From: oynqr @ 2023-01-17 12:04 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 277 bytes --]
New comment by oynqr on void-packages repository
https://github.com/void-linux/void-packages/pull/41193#issuecomment-1385324089
Comment:
A fix has been merged upstream for the wrong paths, but OpenSSL-generated certs still get rejected by browsers even on git master builds.
* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
From: github-actions @ 2023-04-18 1:51 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 305 bytes --]
New comment by github-actions[bot] on void-packages repository
https://github.com/void-linux/void-packages/pull/41193#issuecomment-1512321671
Comment:
Pull Requests become stale 90 days after last activity and are closed 14 days after that. If this pull request is still relevant bump it or assign it.
* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
From: CameronNemo @ 2023-04-18 17:17 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 270 bytes --]
New comment by CameronNemo on void-packages repository
https://github.com/void-linux/void-packages/pull/41193#issuecomment-1513534123
Comment:
If there is still the issue of the certs being rejected, then this should probably be merged (possibly after being rebased).
* Re: [PR PATCH] [Updated] cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
From: jpastuszek @ 2023-04-18 20:50 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1473 bytes --]
There is an updated pull request by jpastuszek against master on the void-packages repository
https://github.com/jpastuszek/void-packages cups-guntls
https://github.com/void-linux/void-packages/pull/41193
cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
#### Testing the changes
- I tested the changes in this PR: **YES**
#### Local build testing
- I built this PR locally for my native architecture, (x86_64-libc) (print client)
- I built this PR locally for these architectures (if supported. mark crossbuilds):
- aarch64 (print server)
The latest version of CUPS defaults to building against OpenSSL. Before that it was defaulting to GnuTLS. The template is written with GnuTLS in mind (deps). This change brings back GnuTLS as TLS backend.
I was having issues with IPPS (TLS over port 631) with cups as a print server and as a client (IPP Everywhere). The server compiled against OpenSSL would fail when a TLS client was connecting, with an error pointing to an issue with certificate generation. Also, when provided with a custom certificate, cupsd would crash.
After this patch for client and server it all works (also tested with MacOS as a client).
The one thing I needed to do was to remove the certificates generated before (when cups was compiled against OpenSSL) (from /etc/cups/ssl) as they were not accepted by cups client.
A patch file from https://github.com/void-linux/void-packages/pull/41193.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-cups-guntls-41193.patch --]
[-- Type: text/x-diff, Size: 925 bytes --]
From 239e7074c9e62b37fa4eef693cf9d92909d47c2d Mon Sep 17 00:00:00 2001
From: Jakub Pastuszek <jpastuszek@protonmail.com>
Date: Tue, 18 Apr 2023 21:27:33 +0100
Subject: [PATCH] cups: reverting to GnuTLS backend
---
srcpkgs/cups/template | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/srcpkgs/cups/template b/srcpkgs/cups/template
index 0d8bc9185456..f1dc66f098d0 100644
--- a/srcpkgs/cups/template
+++ b/srcpkgs/cups/template
@@ -1,7 +1,7 @@
# Template file for 'cups'
pkgname=cups
version=2.4.2
-revision=3
+revision=4
build_style=gnu-configure
make_install_args="BUILDROOT=${DESTDIR}"
hostmakedepends="gnutls-devel pkg-config
@@ -42,6 +42,7 @@ do_configure() {
--enable-libpaper --with-menudir=/usr/share/applications \
--with-xinetd=/etc/xinetd.d --with-optim="${CFLAGS}" \
--with-rcdir=no \
+ --with-tls=gnutls \
$(vopt_if avahi '--with-dnssd=avahi') $(vopt_enable gssapi)
}
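Review bot: The added `--with-tls=gnutls \` line in do_configure() overrides the upstream default without any record of why, since the commit subject is only "cups: reverting to GnuTLS backend" and there is no commit body. Add a short comment above the configure invocation, or a commit body, stating that the OpenSSL build does not complete the TLS handshake for IPPS on port 631 and pointing at the upstream report, so a later maintainer knows under what condition the override can be dropped.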
* Re: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
From: jpastuszek @ 2023-04-18 20:54 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 4559 bytes --]
New comment by jpastuszek on void-packages repository
https://github.com/void-linux/void-packages/pull/41193#issuecomment-1513782714
Comment:
After the update I could not get the certificate from CUPS:
```
$ curl https://localhost:631/ -v
* Trying 127.0.0.1:631...
* Connected to localhost (127.0.0.1) port 631 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* Recv failure: Connection reset by peer
* OpenSSL SSL_connect: Connection reset by peer in connection to localhost:631
* Closing connection 0
curl: (35) Recv failure: Connection reset by peer
```
```
$ openssl s_client localhost:631
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```
With the change to GnuTLS it works fine:
```
$ curl https://localhost:631/ -v
* Trying 127.0.0.1:631...
* Connected to localhost (127.0.0.1) port 631 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
```
```
$ openssl s_client localhost:631
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
verify return:1
---
Certificate chain
0 s:C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
i:C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
---
Server certificate
subject=C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
issuer=C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1536 bytes and written 373 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
```
I have rebased the PR.
^ permalink raw reply [flat|nested] 18+ messages in thread
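An added example, not part of jpastuszek's comment or of the void-packages tree: a shell function that classifies `openssl s_client` output like the two transcripts in the message above. It checks the handshake byte count before the verify code, because the failing transcript still reports `Verify return code: 0 (ok)`. The function names and the trimmed sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function and sample names are made up.

# Reads `openssl s_client` output on stdin and prints one verdict:
#   no-handshake  peer closed or reset before sending any handshake bytes
#   no-cert       handshake data arrived but no certificate was presented
#   self-signed   certificate presented, verify code 18
#   verified      certificate presented, verify code 0
#   cert-error:N  certificate presented, any other verify code N
#   unparsed      input did not look like s_client output
classify_s_client() {
    awk '
        /^no peer certificate available/       { nocert = 1 }
        /^subject=/                            { cert = 1 }
        /^SSL handshake has read [0-9]+ bytes/ { seen = 1; nread = $5 + 0 }
        /Verify return code: [0-9]+/           { code = $4 + 0; have_code = 1 }
        END {
            # Order matters: with zero bytes read there was nothing to verify,
            # so a verify code of 0 in that transcript carries no meaning.
            if (!seen)           { print "unparsed"; exit }
            if (nread == 0)      { print "no-handshake"; exit }
            if (nocert || !cert) { print "no-cert"; exit }
            if (!have_code)      { print "unparsed"; exit }
            if (code == 0)       { print "verified"; exit }
            if (code == 18)      { print "self-signed"; exit }
            print "cert-error:" code
        }
    '
}

# What a check that looks only at the verify code would report.
naive_verify_code() {
    awk '/Verify return code: [0-9]+/ { c = $4 + 0 } END { print c }'
}

# Constructed sample: trimmed from the OpenSSL-build transcript quoted above.
sample_reset() {
cat <<'EOF'
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
---
EOF
}

# Constructed sample: trimmed from the GnuTLS-build transcript quoted above.
sample_self_signed() {
cat <<'EOF'
CONNECTED(00000003)
verify error:num=18:self signed certificate
---
Server certificate
subject=C = US, CN = morgana, O = morgana, OU = Unknown, ST = Unknown, L = Unknown
---
SSL handshake has read 1536 bytes and written 373 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 18 (self signed certificate)
---
EOF
}

# Live use (needs a running server):
#   openssl s_client -connect localhost:631 </dev/null 2>&1 | classify_s_client
printf 'OpenSSL build: %s\n' "$(sample_reset | classify_s_client)"
printf 'GnuTLS build:  %s\n' "$(sample_self_signed | classify_s_client)"
```

A `self-signed` verdict is the healthy result for a default CUPS install here: the server completed the handshake and presented its own certificate.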
* Re: [PR PATCH] [Merged]: cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
From: Piraty @ 2023-04-19 20:37 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1307 bytes --]
There's a merged pull request on the void-packages repository
cups: reverting to GnuTLS backend (fix broken new CUPS OpenSSL default IPPS issues)
https://github.com/void-linux/void-packages/pull/41193
Description:
#### Testing the changes
- I tested the changes in this PR: **YES**
#### Local build testing
- I built this PR locally for my native architecture, (x86_64-libc) (print client)
- I built this PR locally for these architectures (if supported. mark crossbuilds):
- aarch64 (print server)
The latest version of CUPS defaults to building against OpenSSL. Before that it was defaulting to GnuTLS. The template is written with GnuTLS in mind (deps). This change brings back GnuTLS as TLS backend.
I was having issues with IPPS (TLS over port 631) with cups as a print server and as a client (IPP Everywhere). The server compiled against OpenSSL would fail when a TLS client was connecting, with an error pointing to an issue with certificate generation. Also, when provided with a custom certificate, cupsd would crash.
After this patch for client and server it all works (also tested with MacOS as a client).
The one thing I needed to do was to remove the certificates generated before (when cups was compiled against OpenSSL) (from /etc/cups/ssl) as they were not accepted by cups client.